Slides from eBay's talk at the OpenStack Summit in Tokyo (Oct 2015) - see https://openstacksummitoctober2015tokyo.sched.org/event/19e95f52289777de81fe04db92f4a082#.VjGHXq4rISQ for details.
Nexus is Bazaarvoice's next generation cloud infrastructure built on top of Amazon Web Services. Nexus is highly available and resilient, built with best practices on top of services such as VPC, Auto Scaling, ELB, CloudFormation, and more.
Bridging the gap: Adding missing client (security) features using OpenLDAP pr... | LDAPCon
This document discusses using OpenLDAP proxy servers to bridge the gap for "dumb" legacy LDAP clients that lack support for security features like TLS and SASL. It describes two approaches: 1) A (Start)TLS-wrapping proxy that introduces TLS between the client and server. 2) A SASL/GSSAPI-wrapping proxy that uses Kerberos tickets to authenticate to the backend server since not all directories support TLS. It also mentions commercial solutions that perform full conversion from simple binds to SASL/GSSAPI by looking up Kerberos principals and requesting tickets.
Despite Amazon’s diligent efforts to secure their Lambda FaaS platform, its intended ability to access a variety of resources and services can be abused for unintended results. This presentation explores the attack surface of the AWS Lambda FaaS platform and how it can be surreptitiously used to circumvent security controls. Specifically, it will demonstrate how to hijack and impersonate Lambda functions, gain persistent remote access to the AWS cloud environment, and reverse engineer the Lambda runtime environment itself.
With Apache Kafka 0.9, the community has introduced a number of features to make data streams secure. In this talk, we’ll explain the motivation for making these changes, discuss the design of Kafka security, and explain how to secure a Kafka cluster. We will cover common pitfalls in securing Kafka, and talk about ongoing security work.
It introduces and illustrates use cases, benefits and problems for Kerberos deployment on Hadoop; how Token support and TokenPreauth can help solve the problems. It also briefly introduces Haox project, a Java client library for Kerberos.
The document discusses Microsoft workloads running on Amazon Web Services (AWS). It provides examples of how customers benefit from running Microsoft products like Windows Server and SQL Server on AWS infrastructure. It highlights how AWS provides familiar tools and licensing options to help customers migrate existing Microsoft workloads to AWS in a cost effective and flexible manner while maintaining security, reliability and performance. The document also introduces the Dedicated Host service on AWS, which allows customers to utilize existing Microsoft licenses by running instances on dedicated physical servers.
Uploading the presentation given at the OpenStack Summit, Austin in April, 2016. The video link is here:
https://www.openstack.org/videos/video/multi-tenancy-for-docker-containers-with-keystone-and-adding-quota-limits
Migrating from the data center to the cloud requires us to rethink much of what we do to secure our applications. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats.
In the presentation we will cover topics including:
- Minimize attack vectors and surface area
- Perimeter assessments of your VPCs
- Internal vs. External threats
- Monitoring threats
- Re-evaluating Intrusion Detection, Activity Monitoring, and Vulnerability Assessment in AWS
Security is often an afterthought, configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
This document provides an overview of Amazon Web Services' (AWS) CloudHSM service. It discusses how CloudHSM is tamper-proof and tamper-evident, can be used as a keystore or for document timestamping, and needs to be backed up. It also summarizes how CloudHSM can be integrated with other AWS services like S3, EBS, EC2, Redshift, and RDS. Finally, it briefly discusses auditing capabilities and some common use cases for CloudHSM.
Data protection is more important than ever. Maintaining confidentiality and integrity of your data at scale does not have to be a burden. In this session we will discuss encryption options on AWS and how to leverage AWS Key Management Service (KMS) for data encryption. We will also cover how AWS KMS integrates with other AWS services.
Speaker: Koorosh Lohrasbi, Solutions Architect, Amazon Web Services
AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by U... | Amazon Web Services
AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.
- Kerberos is a network authentication protocol developed at MIT in the 1980s to allow clients and servers to authenticate each other over a non-secure network using symmetric-key cryptography and tickets.
- It uses a central authentication server (Key Distribution Center) to authenticate users and distribute session keys to allow communication between users and services on the network in a secure manner.
- The Kerberos workflow involves a client first authenticating with the KDC to obtain a ticket-granting ticket, then using that to request service tickets from the KDC to access specific services.
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014 | Amazon Web Services
This document summarizes a talk on building AWS partner applications using IAM roles. It discusses using the AssumeRole API to access AWS resources across accounts with temporary credentials instead of long-term access keys. It also covers using an external ID parameter to prevent confused deputy attacks by verifying the account being accessed belongs to the user. The document provides code samples and recommends architectures that use least privilege and isolate privileged instances.
This document discusses various methods for web security including HTTP authentication using usernames and passwords, digest authentication as an improvement over basic authentication, secure sockets layer (SSL) for encrypting communications, and the Java cryptographic packages including JCE for encryption/decryption, JSSE for SSL/TLS support, JAAS for authentication and authorization, Java GSS API for Kerberos support, and the Java Certification Path API for validating certificate chains.
Deep Dive into Keystone Tokens and Lessons Learned | Priti Desai
Keystone supports four different types of tokens: UUID, PKI, PKIZ, and Fernet. Let’s take a deep dive into:
Understanding token formats
Pros and Cons of each format in Production
Performance across multiple data centers
Token revocation workflow for each of the formats
Horizon usage of the different token types
We previously deployed UUID and PKI in Production and are now moving towards the latest format, Fernet. We would like to share our lessons learned with different formats and help you decide on which format is suitable for your cloud.
This document provides a high-level overview of how Kerberos authentication works. It explains that Kerberos uses a trusted third party called the Key Distribution Center (KDC) to mediate authentication between users and services. The KDC distributes session keys to allow communication and verifies users' identities through cryptographic operations. It also describes how Kerberos implements single sign-on through the use of ticket-granting tickets obtained from the KDC. Some advantages of Kerberos include strong authentication without sending passwords over the network and more convenient single sign-on for users.
The document discusses secure content delivery with AWS. It provides an overview of Amazon CloudFront as a content delivery network (CDN) and how it can accelerate content delivery globally. It also discusses AWS Certificate Manager (ACM) for provisioning SSL/TLS certificates and integrating with CloudFront. The document then delves into how CloudFront enables secure content delivery and advanced SSL/TLS features like session tickets and OCSP stapling. It concludes with an overview of AWS Web Application Firewall (WAF) and how it can protect websites and applications from attacks.
This document discusses Okta's use of AWS KMS for encryption key management. It provides background on Okta as a company and describes their requirements for encryption. It then details Okta's implementation of AWS KMS for encrypting user data, including how they structure encryption keys and handle failures. The document also addresses authorization, auditing, performance tuning and rollout considerations for using AWS KMS.
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less | Amazon Web Services
This document provides a summary of an AWS session on becoming an IAM policy expert in 60 minutes or less. It covers key IAM policy concepts like principal, action, resource, and condition elements. Examples are given for each element to show how policies can be used to control access to AWS services like EC2, S3, and IAM. The session also demonstrates how to use policy variables and debug policies. Attendees would learn tips and tricks for common use cases through demos of limiting EC2 instance types and using conditions.
The document outlines the agenda for a user group meeting on AWS VPC topics. The agenda includes reviewing default and custom VPCs, NAT instances and gateways, VPC peering, flow logs, endpoints, VPN connections, Direct Connect, limits and pricing, and exam tips. It also lists past topics such as storage, compute, databases, and networking services, as well as upcoming topics such as Lambda, cost optimization, and machine learning.
Microsoft Active Directory is the foundation for distributed networks built on Windows Server. Learn how our new Active Directory Reference Implementation Guide can help you deploy highly available AD Domain Services on AWS in about an hour.
Included will be an overview of the reference architecture, implementation guide, and CloudFormation templates, which automate much of the process. Two scenarios are covered: one fully cloud-based and one hybrid, using AWS Direct Connect to extend an existing on-premises AD solution into the AWS Cloud.
AWS provides several managed database services that simplify encryption and security management including Amazon DynamoDB, Amazon Redshift, and Amazon Aurora. These services offer features such as server-side encryption using AWS Key Management Service (KMS), multi-AZ deployment for high availability, cross-region replication for disaster recovery, integration with AWS Identity and Access Management (IAM) for access control, and integration with AWS CloudTrail for auditing. Customers can focus on their applications rather than complex database security tasks when using these AWS database services.
Hardening Cassandra for compliance or paranoia | zznate
Cassandra at-rest encryption, inter-node communication encryption, client-server communication encryption, authentication, authorization, and securing JMX management were discussed. The document provided guidance on implementing encryption at rest using commercial and open source options, setting up SSL for inter-node and client-server communication using self-signed certificates, implementing authentication and authorization best practices from RDBMS, and securing JMX access.
The document discusses securing applications and infrastructure deployed on Amazon Web Services (AWS). It begins by noting how moving to the cloud requires rethinking traditional perimeter security approaches. It then outlines different attack vectors in AWS like access control management, network access controls, and vulnerabilities in services like EC2, S3, RDS, SQS and SNS. The document emphasizes performing security assessments of the entire AWS configuration rather than just individual resources. It also recommends using tools like AWS CloudTrail to gain visibility into API usage and help detect any unauthorized access.
This document discusses Dapr, an open source runtime that makes it easy to build distributed applications on Kubernetes. It provides concise summaries of Dapr components like state management, publish/subscribe, secrets management, and more. Code samples show how to use Dapr building blocks like state stores and service invocation from Python, Node.js, and .NET applications on Kubernetes and standalone.
The document discusses how treating containers as "cattle" rather than "pets" can help address issues like heterogeneity, operational overhead, and change fragility in container management. It advocates implementing the classical automation cycle of provisioning, deploying, monitoring, and remediating containers while observing their current state and converging it to the desired state as described in policies. This treats containers as generic and ephemeral resources rather than individually managed assets, hiding the full infrastructure stack behind the cluster manager.
The document describes the evolution of engineering operations at eBay from a small manually maintained dev/test cloud to a large automated production infrastructure running the business. It went from a dev-to-ops ratio of 1:0 with no automation to thousands of nodes distributed across several availability zones, operated 24x7 with a dev-to-ops ratio of 5:1. The document recommends treating infrastructure as code, managing drift through automation and audits, measuring everything as another product feature, and fostering a culture of shared accountability between dev and ops.
This document discusses REST theory versus practice. It begins with introducing the two speakers, Subbu Allamaraju and Mike Amundsen. The objectives of the talk are then outlined, which are to understand that REST is a set of constraints that can be knowingly relaxed, work with underlying protocols, and apply sound software engineering. Common REST principles are then explained including identifying resources, using URIs, designing representations, using a uniform interface, and using hypermedia as the engine of application state. An example address book REST API is then demonstrated. The talk concludes by discussing practical considerations when implementing REST including managing concurrency, being creative with URIs, and that IDs alone are not as good as full URIs.
My talk about REST in Barcelona Software Craftsmanship Meetup on May 19, 2014.
http://www.meetup.com/Barcelona-Software-Craftsmanship/events/173793192/
- eBay runs OpenStack as its private cloud infrastructure, providing on-demand access to computing resources for various eBay brands and services on shared infrastructure.
- eBay uses OpenStack APIs and multiple availability zones and regions to provide high availability and scale capacity across its global infrastructure.
- eBay has developed tools like StackWatch and StackMetrics to monitor OpenStack performance, simulate workloads, and detect issues in the cloud.
This document provides an overview of Azure HDInsight and options for building data lakes in the cloud. It discusses HDInsight's advantages like preserving existing Hadoop investments. It also covers Azure's data landscape including storage, streaming, ETL, and orchestration options. Key technologies are compared like Hive, Spark, and Storm. Best practices are shared around monitoring, security, data transfer, and disaster recovery.
A Journey to Magical Security Creatures' Land | MongoDB
This document discusses security options for MongoDB databases using a metaphor of a "monster pack". It describes various authentication methods like SCRAM, x.509 certificates, LDAPS, and Kerberos. Authorization methods include RBAC and LDAPS. Encryption can be applied at rest and in transit using TLS. Other options are IP whitelisting, auditing, and restricted access. Three scenarios involving different MongoDB users are presented and recommended security setups are provided for each scenario based on their unique needs and resources.
Securing Spark Applications by Kostas Sakellis and Marcelo Vanzin | Spark Summit
This document discusses securing Spark applications. It covers encryption, authentication, and authorization. Encryption protects data in transit using SASL or SSL. Authentication uses Kerberos to identify users. Authorization controls data access using Apache Sentry and the Sentry HDFS plugin, which synchronizes HDFS permissions with higher-level abstractions like tables. A future RecordService aims to provide a unified authorization system at the record level for Spark SQL.
This document discusses securing Spark applications. It covers encryption, authentication, and authorization. Encryption protects data in transit using SASL or SSL. Authentication uses Kerberos to identify users. Authorization controls data access using Apache Sentry and the Sentry HDFS plugin, though a future RecordService aims to provide unified authorization. Securing Spark leverages existing Hadoop security but more integration work remains.
NServiceBus in Azure - A Right Tool for the Web(Job)? | Sean Feldman
This document discusses using NServiceBus on the Azure cloud platform. It introduces NServiceBus concepts like messages, commands, events, and endpoints. It then covers different Azure hosting options like IaaS VMs, PaaS cloud services, and serverless PaaS options like App Service. It explains how NServiceBus leverages different Azure services for messaging, storage, and hosting. It provides an example of using NServiceBus with Azure Service Bus and Storage. Finally, it emphasizes that NServiceBus simplifies middleware and messaging on Azure so developers can focus on application logic rather than infrastructure concerns.
The document provides an overview of the OWASP Cheat Sheet Series, which aims to collect useful information about web application security in one place. It lists several active and draft cheat sheet topics, including authentication, input validation, SQL injection, session management, and secure coding. One sample cheat sheet discussed in more detail is about transport layer protection, covering benefits, requirements, rules, and testing of TLS/SSL. The logging cheat sheet section discusses logging purposes, event sources, where and what events to log, what not to log, and testing considerations.
This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.
Kerberos addresses the core needs of authentication, authorization, and auditing for computer and network security. It provides a centralized account repository and uses tickets to verify the identity of users and servers while optionally encrypting communications. Kerberos involves a password being shared between a user and key distribution center (KDC) to obtain initial credentials in the form of a ticket-granting ticket stored in a credentials cache.
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
Erlend Oftedal, Blank
Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems.
At the conclusion of this session, we hope to have shed some light on the positive and negative security effects of such architectures.
This document provides an overview of AWS Cloud services and tools for building scalable and highly available cloud infrastructure. It discusses compute, storage, database, messaging/notification services, and automation/orchestration tools. It also covers availability zones, elasticity, identity and access management, and networking/connectivity options like VPC and VPN. The document aims to help readers understand how to architect for scale and redundancy using AWS building blocks.
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
Presented to the Philly DevOps Meetup November 29, 2016.
Managing secrets is hard. It’s even harder in the cloud. At Jornaya (formerly LeadiD), we chose Hashicorp Vault to manage our secrets in AWS, and I’d like to share our experience with everyone.
Building Open Source Identity Management with FreeIPALDAPCon
FreeIPA is an open source identity management solution that integrates authentication, authorization, policies and other identity management features in a centralized manner. It aims to simplify identity management for Linux and Unix systems in a similar way that Active Directory does for Windows. FreeIPA also allows for integration with Active Directory domains through cross-realm Kerberos trusts, allowing single sign-on for users between Linux and Windows systems.
The document provides information about security patterns with WSO2 ESB. It introduces Jeewantha Dharmaparakrama and Isuru Udana, software engineers from WSO2, as presenters. It then discusses security requirements and how WSO2 ESB supports WS-Security, transport level security using HTTPS, and OAuth and entitlement with mediators. Specific security patterns covered include authentication, authorization, data confidentiality, integrity and non-repudiation.
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan VMware Tanzu
This document discusses CredHub, a tool for centralized credential management. It delivers cradle-to-grave management of credentials, including creation, access control, distribution, rotation, and logging. Credentials are encrypted at rest and include passwords, certificates, SSH keys, and arbitrary values. The document outlines CredHub's architecture, credential types, REST API, language bindings, service bindings workflow, and availability. It demonstrates how CredHub improves security when used with platforms and pipelines.
AWS is architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely. When using AWS, not only are infrastructure headaches removed, but so are many of the security issues that come with them.
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
Incident response and forensic analysis procedures are different in the cloud from how they are carried out in traditional, on-premises environments. We will look at the differences between traditional digital forensics and forensics of systems in the AWS, Azure or Google Compute Platform clouds. When it comes to the cloud and we move in an entirely virtual environment, we face challenges that differ from the traditional world. What used to be hardware is now software. With cloud infrastructure providers we work with APIs; we create, delete or modify any resource with a call to their API. We have load balancers, servers, routers, firewalls, databases, WAFs, encryption systems and many more resources without opening a box and without touching a cable. At the stroke of a command. This is what we know as Infrastructure as Code. If you can program it, you can automate it. How can we take advantage of this from the point of view of incident response, forensic analysis or even automated hardening?
Security in IaaS: attacks, hardening, incident response, forensics and all about its automation. Although I will talk about general concepts related to AWS, Azure and GCP, I will show specific demos and threats in AWS and go into detail on some caveats and hazards in AWS.
The presentation was given on 11/12/2018 at CloudExpo NY. It talks about software portability approaches and technologies on Kubernetes, microservices, service mesh, and serverless platforms.
On March 12, 2019 Google experienced a 4 hour and 10 minute service disruption in their internal blob storage service. The outage was caused by a configuration change made by SREs on March 12th to reduce storage usage, which had the unintended side effect of overloading a key system. The document discusses principles for building highly available systems drawn from Google's experiences, including embracing constant change, hybrid architectures, observability, and value-based decision making.
This document discusses leading a transformation to cloud technologies. It provides guidance in 4 key areas: 1) Investing to drive a high rate of change, 2) Picking big projects to replatform early, 3) Having a point of view on being cloud native, and 4) Preparing to be in a hybrid state for some time. The goal is to transition to the cloud in a way that is faster, better, cheaper, safer, and more reliable. Cloud services provide many building blocks to evolve architectures, but transformations take time and hybrid states are common during the process.
How do we bring safety back into an organizational culture when the contemporary patterns used to increase the rate of change also contribute to increased fragility? In this talk, we will look at contributing factors, the limits of chaos testing, and patterns and practices needed to support a high rate of change while also maintaining system safety.
Presented at:
Feb 6, 2019 at https://conferences.oreilly.com/software-architecture/sa-ny/schedule/2019-02-06
Mar 26, 2019 at https://t3ch.amadeus.com/agenda
What Worked for Netflix May Not Work for You (OSCON-2018)Subbu Allamaraju
This document discusses Netflix's transition to a cloud native architecture and lessons learned that may be applicable to other companies. The key points are:
1. Organic migrations don't work and big changes need to be planned from the start.
2. Embracing managed cloud services and standardizing what to centralize makes migrations easier.
3. Security, controls, and costs need consideration upfront to avoid issues later.
4. Having guardrails for decision making is important but not being too constrained.
5. Learning from failures and getting comfortable with change is part of becoming cloud native.
Slides from my keynote presentation at the Container World 2018 conference (https://tmt.knect365.com/container-world/speakers/subbu-allamaraju#keynote-programming_keynote-are-we-ready-for-serverless)
The document discusses building an interoperable programmable web through common agreements on discovery, linking, schemas, media types, formats and interfaces. It proposes using HTTP as the common protocol and representing data through common formats to allow different systems and APIs to interact. It also suggests using SQL-like constructs to enable operations like querying, filtering, joining and orchestrating requests across multiple APIs.
This document discusses the ql.io open source project, which provides a domain specific language (DSL) for making HTTP requests. The DSL allows HTTP resources to be treated like database tables, enabling CRUD operations on those resources with a SQL-like syntax. Ql.io can be used as an HTTP gateway and allows parallelizing and joining requests. It aims to simplify writing code for making API calls. The document provides examples of using the ql.io DSL and discusses how it can be used as a Node.js module.
This document summarizes ql.io, a domain specific language for consuming HTTP APIs. Ql.io allows API calls to be made with fewer lines of code and reduced data sizes compared to traditional HTTP requests. It handles parallelizing requests and joining responses implicitly. Ql.io also allows mapping HTTP resources to SQL-like queries, enabling sequential and parallel queries over multiple APIs with a simple syntax. It can be used as an HTTP gateway or from Node.js.
This document discusses measuring the effectiveness of REST architectures. It outlines different levels of understanding REST and lists qualities that could be measured like performance, scalability, simplicity and constraints adherence. However, the document argues that proving REST leads to these qualities is difficult without tying the constraints to specific scenarios and priorities. It proposes a process to agree on what qualities matter, contextualize them into measurable scenarios, prioritize scenarios, and then evaluate solutions based on how well they meet the prioritized scenarios.
This document summarizes Subbu Allamaraju's presentation on building RESTful web APIs. The presentation covers REST architecture constraints including identifying resources with URIs, manipulating resources through representations, self-descriptive messages, and hypermedia as the engine of application state. It also discusses building RESTful HTTP APIs by using the HTTP methods like GET, POST, PUT, DELETE according to their definitions and designing resources around domain nouns. The presentation provides examples of RESTful and non-RESTful API designs.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
7. IAM without actually managing users
Global, available, secure
Semi-trusted cloud services (in the control plane)
Untrusted cloud users
8. Global Keystone in a Trusted Control Plane
Multi-factor authentication
API Keys
API Extensions
9. [Architecture diagram: Keystone (ks) nodes behind a load-balancer VIP (LB VIP) per site; DNS routing (affinity based) for the Keystone service; DNS routing (affinity based) for the DB, with a Galera donor node; Galera based replication of select tables]
10. 10 new tokens/sec on average – peak at 100 tokens/sec
High write latencies (~400 msec)
Started with PKI, moved to PKIZ (60% reduction)
13. Two Factor Authentication
A per-VPC policy
VPC is a property of a project
All projects in a given VPC share the policy
Entirely dynamic and configuration driven
17. POST /api_key
X-Auth-Token: a valid auth token (header)
source_project_id: an optional source project (defaults to current)
expires-at: an optional expiry
role_ids: an optional subset of roles
group_ids: an optional subset of groups
ip_addresses: an optional subset of sources (defaults to the project's compute VPC)
18. Limited Authentication Boundary
Blocked if the caller source is not whitelisted
Blocked if used from a different VPC
Blocked if used from a different project
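As an added example (not eBay's code; the Keystone extension behind these slides is not shown here), a Python model of the API key scoping on slide 17 and of the limited authentication boundary on slide 18: a key can only narrow the caller's roles, groups, sources and lifetime, and a use of the key is rejected on expiry, project mismatch, VPC mismatch or a non-whitelisted source. The project-to-VPC mapping, the 30-day default expiry and all function and class names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample topology: a project belongs to exactly one VPC (slide 13).
PROJECT_VPC = {"proj-a": "vpc-1", "proj-b": "vpc-2"}
VPC_CIDR = {"vpc-1": "10.1.0.0/16", "vpc-2": "10.2.0.0/16"}

@dataclass(frozen=True)
class ApiKey:  # hypothetical record; eBay's schema is not on the slides
    project_id: str
    expires_at: datetime
    role_ids: frozenset
    group_ids: frozenset
    ip_networks: tuple   # allowed sources; defaults to the project's compute VPC

def create_api_key(caller_project, caller_roles, caller_groups, body, now):
    """Model of POST /api_key (slide 17): every body field is optional and the
    key's scope may only be a subset of what the caller already holds."""
    project = body.get("source_project_id", caller_project)
    roles = frozenset(body.get("role_ids", caller_roles))
    groups = frozenset(body.get("group_ids", caller_groups))
    if not (roles <= frozenset(caller_roles) and groups <= frozenset(caller_groups)):
        raise ValueError("api key may not carry roles or groups the caller lacks")
    expires_at = body.get("expires-at", now + timedelta(days=30))  # assumed default
    if expires_at <= now:
        raise ValueError("expiry must lie in the future")
    sources = body.get("ip_addresses", [VPC_CIDR[PROJECT_VPC[project]]])
    nets = tuple(ipaddress.ip_network(s, strict=False) for s in sources)
    return ApiKey(project, expires_at, roles, groups, nets)

def vpc_of(addr):
    """Which VPC an address belongs to, or None for an outside address."""
    return next((v for v, c in VPC_CIDR.items()
                 if addr in ipaddress.ip_network(c)), None)

def check_api_key_use(key, source_ip, project_id, now):
    """Limited authentication boundary (slide 18). Returns (allowed, reason)."""
    if now >= key.expires_at:
        return False, "expired"
    if project_id != key.project_id:
        return False, "different project"
    addr = ipaddress.ip_address(source_ip)
    if vpc_of(addr) != PROJECT_VPC[key.project_id]:
        return False, "different VPC"
    if not any(addr in net for net in key.ip_networks):
        return False, "source not whitelisted"
    return True, "ok"
```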